Solved

Is there a way to block a GPO from reaching a particular computer without putting the computer in an OU with block inheritance set?

Posted on 2008-10-15
5
385 Views
Last Modified: 2010-04-21
Is there a way to block a GPO from reaching a particular computer without putting the computer in an OU with block policy inheritance set?  I want to block a software GPO policy on particular computers, but I don't want to move the computer(s) to their own OU.

Thank you!
0
Comment
Question by:cc_mbx
5 Comments
 
LVL 13

Accepted Solution

by:
martin_babarik earned 200 total points
ID: 22728410
Hello.

yes it quite simple: put all of those computers to a security group and in Group policy management console select the GPO you want to block, switch to a Delegation tab, add a group here to a list, then select the group, click Advanced and assign them Deny permission for Read and Apply group policy object.
Martin
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 100 total points
ID: 22729395
It's important to note that the computers in question will need to be rebooted after they have been added to the security group in question.
0
 
LVL 6

Assisted Solution

by:deiaccord
deiaccord earned 200 total points
ID: 22729539
Another alternative is when you link the GPO associate it with a WMI filter.

To create a WMI filter under Group Policy Management you should have a WMI filters section for the domain in question. Create a new filter with settings something like the below

Namespace: root\CIMV2
Query: SELECT * FROM Win32_ComputerSystem WHERE Name <> 'Computer1' OR Name <> 'Computer2'

Attach this to your GPO and computers called Computer1 or Computer2 will not get the GPO applied to them
0
 
LVL 13

Expert Comment

by:martin_babarik
ID: 22729705
Thank you Laura for adding this comment, quite important:-)
Martin
0
 

Author Closing Comment

by:cc_mbx
ID: 31506608
Thank you!
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In-place Upgrading Dirsync to Azure AD Connect
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question